The US Government Accountability Office (GAO) has issued a report on medical device cybersecurity that examines gaps in federal agencies’ authority, investigates the obstacles non-federal entities face in accessing federal support, and offers recommendations to improve government coordination in this domain. The GAO’s examination finds that the current 5-year-old agreement, developed to coordinate efforts in managing medical device cybersecurity, falls short in addressing all key practices. It requires an immediate update to reflect the organizational and procedural changes that have taken place since 2018.
The GAO, Congress’s audit, evaluation, and investigative arm, is dedicated to assisting Congress in fulfilling its constitutional duties and improving the performance and accountability of the federal government. GAO routinely assesses the use of public funds, federal programs, and policies, providing analyses, recommendations, and support for well-informed congressional decisions. Although available data suggest that cybersecurity incidents involving medical devices in hospitals are rare, the Department of Health and Human Services (HHS) emphasizes the importance of these devices, considering them potential sources of cybersecurity concern. This acknowledgment reflects a proactive approach to addressing potential threats before they materialize, in keeping with the ultimate goal of safeguarding healthcare infrastructure. Non-federal entities representing health care providers and patients have described challenges in accessing federal support to address cybersecurity vulnerabilities in medical devices effectively. These challenges involve both a lack of awareness of available resources or points of contact and difficulty understanding the complex vulnerability communications issued by the federal government.
In actively overseeing medical device cybersecurity, agencies such as the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) have collaborated extensively to address potential risks. However, the GAO identifies a need to renew the existing agreement that guides these collaborative efforts. The call for an updated agreement arises from evolving cybersecurity practices and the need to accommodate changes that have taken place since 2018. This requirement is particularly pressing given the expanded authority vested in the FDA over medical device cybersecurity. Recent legislation, effective from December 2022, mandates that manufacturers submit comprehensive plans for monitoring, identifying, and mitigating cybersecurity vulnerabilities in new devices slated for introduction from March 2023 onward.
Recognizing these changes to healthcare regulations, the GAO notes that FDA officials have begun implementing the new cybersecurity authorities. As of the current assessment, these officials do not identify a pressing need for additional authority. To strengthen device cybersecurity within the bounds of existing measures, the FDA plays a varied role. This includes actively monitoring alerts within the health sector and those issued by CISA, directing manufacturers to communicate identified vulnerabilities transparently to user communities, and facilitating the remediation of such vulnerabilities. The proactive stance is further demonstrated by FDA guidance stating that a manufacturer’s failure to address identified vulnerabilities may cause the device to be considered in violation of federal law, inviting potential enforcement action.
The field of medical device cybersecurity involves interactions among government agencies, non-federal entities, and legislative frameworks, creating a complex environment. The challenges identified by the GAO underscore how difficult cybersecurity preparedness is in the healthcare sector. The call for an updated agreement and the acknowledgment of expanded FDA authority signify a commitment to address potential threats proactively and to safeguard medical devices that are key to patient care and the broader healthcare infrastructure. This comprehensive approach not only tackles existing challenges but also anticipates evolving cybersecurity threats in healthcare. The GAO’s review makes clear that an updated FDA-CISA agreement is needed for effective coordination on medical device cybersecurity, and that this update is necessary to ensure strong protection, prevent disruptions, and preserve the integrity of patient care and health data. The endorsement of GAO’s recommendations by both the FDA and CISA demonstrates their shared commitment to improving collaborative efforts in healthcare.